I believe the solution to this is something fundamental i'm
missing about the Coldfusion/WebDevelopment .

I'm having trouble with CF security settings (login/logout)
and session variables. Specifically I encounter an error saying
'session.rdbclient is undefined.' (rdbclient is much like a
shopping cart; must maintain persistence). This occurs when the
user closes the browser goes off and does something else meanwhile
the session expires. So when they come back to my site they are
still logged in and attempt to put things in the cart
(session.rdbclient) and then it chokes saying it's undefined,
obviously. Now, I know it works correctly when the user actually
logs out instead of the closing the browser window.
How do I solve this so that the user can click logout OR
close the browser (and delete the session variables in both cases)?
I'm including my Application.cfm below (hopefully it's not
too much code).

It is important to note that using per-session cookies does
not clear
the session data when the browser closes. There is almost NO
WAY for
the server to EVER know when a user closes the browser (Yes,
sometime
one can do something with on JavaScript, but this it not very
reliable).

What this does is tell the browser to throw away the CFID and
CFTOKEN
cookie values that connect a browser to a single session when
it is
closed. Thus when the browser is opened again and connects to
the
application - it gets a new session and associated session
variables
connect with new CFID and CFTOKEN cookie values.

The old session will not go away until it timeouts after the
specified
inactivity time period.

Simple, you need to force CF to set session cookies instead
of persistent cookies. You can do this by using the application
setting "setClientCookies", like so. Then, use cfset to create a
cookie by referencing the cookie scope. Default will be to expire
the cookie on close. New sessions every time.

After which timeout? You've defined two, a session timeout
and a login timeout. What is your application doing with the roles,
I wonder. What happens when session.rdbClient exists, but login
auth does not? First thing I would try doing is setting your
session and login timeouts to the same value to avoid persisting
some data that you only create under unrelated circumstances.

Also, while picking through your code I figure I'd let you
know that this: